X-Clacks-Overhead vs diagnosis

I have a custom line in my nginx-conf:

add_header X-Clacks-Overhead "GNU Terry Pratchett" always;

Since the (great) diagnostics became available with YunoHost 3.8, my hosts won’t automatically get their Let’s Encrypt certificates renewed, because the config of nginx is manually altered.

I know I can add configurations in the conf.d-directory, but I am not sure how to add a single line in this way. Is it possible? I am quite attached to the Clacks-Overhead :slight_smile:

Not sure what this does, but yes, just:

echo 'add_header Foo "Bar";' > /etc/nginx/conf.d/yourdomain.tld/add_header_foo.conf

Though you should not use add_header but more_set_headers for reasons too complex to explain here, but that’s a security risk … cf. https://www.peterbe.com/plog/be-very-careful-with-your-add_header-in-nginx and https://github.com/openresty/headers-more-nginx-module#more_set_headers
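The add_header behaviour behind the advice above, as an added example that is not part of the original thread: nginx inherits add_header lines from the enclosing level only when the current level defines none of its own, so a single extra add_header in a location silently drops the server-level security headers. The Python check below flags such blocks in a config; SAMPLE_CONF and the function names are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread): one location adds its own header.
SAMPLE_CONF = '''
server {
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    location / { }   # no add_header here: inherits both server-level headers
    location /clacks {
        add_header X-Clacks-Overhead "GNU Terry Pratchett";
    }
}
'''
# Tokens: comments, quoted strings, structural characters, bare words.
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"']+''')

def parse(conf):
    """Build a tree of blocks, recording the add_header names set in each."""
    root = {"name": "main", "headers": [], "children": []}
    stack, words = [root], []
    for tok in TOKEN.findall(conf):
        if tok == "{":
            block = {"name": " ".join(words), "headers": [], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if len(words) >= 2 and words[0] == "add_header":
                stack[-1]["headers"].append(words[1].strip("\"'"))
        else:
            if not tok.startswith("#"):   # skip comments, keep collecting words
                words.append(tok)
            continue
        words = []                        # a statement or block header just ended
    return root

def dropped_headers(block, inherited=(), path=""):
    """Yield (block path, lost names) where own add_header lines replace the inherited set."""
    here = f"{path} > {block['name']}" if path else block["name"]
    own = block["headers"]
    lost = [h for h in inherited if own and h.lower() not in {o.lower() for o in own}]
    if lost:
        yield here, lost
    for child in block["children"]:
        # nginx rule: a level with its own add_header lines inherits none from above
        yield from dropped_headers(child, own or inherited, here)

if __name__ == "__main__":
    print(list(dropped_headers(parse(SAMPLE_CONF))))
```

The check reads one config text and does not follow include directives.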

Thanks for moving to the right forum and for the security links, I see the problem (add_header works a bit like assigning a group to a user without append).

I will try …
echo 'more_set_headers X-Clacks-Overhead "[GNU Terry Pratchett](http://www.gnuterrypratchett.com/)" always;' > /etc/nginx/conf.d/akashaduocyen.nl.d/more_set_headers_pratchett.conf

… and test diagnosis and header output.

It has no direct usage, it is more like an obituary. Terry Pratchett was the writer of the Discworld-series; in one of the books an internet-like system is invented. One of the heroes dies, and is remembered in the overhead messages of the system. Now the writer himself is remembered in the same fashion.

It took a few tries.

My first try would only give “GNU Terry Pratchett”, not the ‘clacks’-bit in the header. Below gives the result I was looking for:

root@akashaduocyen:/etc# echo 'more_set_headers X-Clacks-Overhead "X-Clacks-Overhead GNU Terry Pratchett" always;' > /etc/nginx/conf.d/akashaduocyen.nl.d/more_set_headers_pratchett.conf
root@akashaduocyen:/etc# service nginx reload
root@akashaduocyen:/etc# cat /etc/nginx/conf.d/akashaduocyen.nl.d/more_set_headers_pratchett.conf
more_set_headers X-Clacks-Overhead "X-Clacks-Overhead GNU Terry Pratchett" always;
root@akashaduocyen:/etc# curl -IL akashaduocyen.nl
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Tue, 30 Jun 2020 05:38:25 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
X-SSO-WAT: You've just been SSOed
Location: https://akashaduocyen.nl/yunohost/sso/?r=aHR0cHM6Ly9ha2FzaGFkdW9jeWVuLm5sLw==
X-Clacks-Overhead: GNU Terry Pratchett

HTTP/2 404 
server: nginx
date: Tue, 30 Jun 2020 05:38:25 GMT
content-type: text/html
content-length: 162
x-sso-wat: You've just been SSOed
set-cookie: SSOwAuthRedirect=;; Path=/yunohost/sso/; Expires=Thu, 01 Jan 1970 00:00:00 UTC; Secure; HttpOnly; SameSite=Lax ;;
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy: upgrade-insecure-requests
content-security-policy-report-only: default-src https: data: 'unsafe-inline' 'unsafe-eval'
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-download-options: noopen
x-permitted-cross-domain-policies: none
x-frame-options: SAMEORIGIN
x-clacks-overhead: GNU Terry Pratchett

root@akashaduocyen:/etc# 

Thanks!

PS, the actual goal of having a green light in diagnosis is also reached :sunny: